
Trying to install pix 515 between cisco 827h dsl router and my network

stevephamilton
Level 1

I am trying to install a pix 515 behind my cisco 827h adsl router. I use the adsl line to provide internet access to my workstations. I cannot access the internet after installing with the following configurations. I set the workstations' gateway to 128.23.176.142. When I use the configuration for the router without the pix and put in the address 128.23.176.142 assigned to eth0 on the router, I get access to the internet. But when I change the inside of the router to 192.168.1.1 and configure the outside of the pix with 192.168.1.2 and the inside of the pix with 128.23.176.142, I cannot connect to the internet. Any help would be greatly appreciated.

Configuration used for the Cisco 827h adsl router:

(config)#enable secret xxx

(config)#bridge irb

(config)#int e0

(config-if)#ip address 192.168.1.1 255.255.255.0

(config-if)#no shut

(config-if)#no ip directed-broadcast

(config-if)#ip nat inside

(config-if)#int atm0

(config-if)#no ip add

(config-if)#no shut

(config-if)#no ip directed-broadcast

(config-if)#ip nat outside

(config-if)#no atm ilmi-keepalive

(config-if)#pvc 8/35

(config-if-atm-vc)#encap aal5snap

(config-if-atm-vc)#bridge-group 1

(config-if)#int BVI 1

(config-if)#ip add 63.162.206.148 255.255.255.192

(config-if)#no ip directed-broadcast

(config-if)#ip nat outside

(config-if)#ip nat inside source list 1 interface BVI 1 overload

(config)#ip classless

(config)#ip route 0.0.0.0 0.0.0.0 63.162.206.129

(config)#no ip http server

(config)#access-list 1 permit 128.23.176.0 0.0.0.255

(config)#bridge 1 protocol ieee

(config)#bridge 1 route ip

(config)#line con 0

(config-line)#password xxxxx

(config-line)#login

(config-line)#transport input none

(config-line)#stopbits 1

(config-line)#line vty 0 4

(config-line)#password xxxxx

(config)#exit

Configuration used for the Pix 515:

nameif eth0 outside security0

nameif eth1 inside security100

interface eth0 auto

interface eth1 auto

ip address outside 192.168.1.2 255.255.255.0

ip address inside 128.23.176.142 255.255.255.0

hostname pixfirewall

arp timeout 14400

no failover

names

pager lines 24

logging buffered debugging

nat (inside) 0 128.23.176.0 255.255.255.0

rip inside default

no rip inside passive

no rip outside default

no rip outside passive

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00

timeout rpc 0:10:00 h323 0:05:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server community public

mtu outside 1500

mtu inside 1500


wolfrikk
Level 3

There is no global statement.

Global (outside) 1 interface

That will allow NAT to use the outside interface IP.

I added the command:

global (outside) 1 interface

But still cannot connect to the internet from workstations.

I noticed that you are using private IP addresses on the outside interface. Is the DSL router doing NAT? With some of the DSL routers, you can configure them for bridging. You could then enable NAT on the PIX and configure the PIX outside interface with a static IP obtained from your ISP, or configure it to autonegotiate the IP address from your ISP. You may have to call your ISP to see if their equipment can handle this.

rjain
Level 1

Try to define a global statement on the PIX. If it does not work, then remove the NAT from the DSL router, because you are double NATting: one is on the PIX and another on the DSL router. So remove the NAT from the DSL router.

litouch
Level 1

I think you can resolve this problem if you add an ADSL modem and don't use your DSL router.

515E with the latest version now supports PPPoE!

But I don't know why your current config doesn't work :-(

I think it can work till you post your question.
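The interaction the replies point at (PIX `nat`/`global` versus NAT on the 827), modelled as an added example that is not part of any post in this thread: it takes the addresses, `access-list 1` and routes from the two posted configurations and reports where a workstation's traffic would break. The workstation address 128.23.176.10 is constructed, and the simplified model of PIX translation and router forwarding is an assumption of the example.

```python
import ipaddress as ip

# Values copied from the two configurations posted in the thread.
ROUTER_NAT_ACL = [ip.ip_network("128.23.176.0/24")]   # access-list 1
ROUTER_ROUTES = {                                      # prefix -> next hop
    ip.ip_network("192.168.1.0/24"): "connected e0",
    ip.ip_network("63.162.206.128/26"): "connected BVI1",
    ip.ip_network("0.0.0.0/0"): "63.162.206.129",
}
PIX_OUTSIDE = ip.ip_address("192.168.1.2")
HOST = ip.ip_address("128.23.176.10")   # constructed sample workstation


def source_after_pix(host, nat_id, has_global):
    """Source address of a packet leaving the PIX outside interface.
    Assumed model: nat id 0 keeps the address unchanged; nat id N with a
    matching 'global (outside) N interface' rewrites it to the outside IP."""
    if nat_id == 0:
        return host
    return PIX_OUTSIDE if has_global else None   # no global: no translation


def lookup(routes, addr):
    """Longest-prefix match over the router's routes."""
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen)
    return routes[best]


def check(nat_id, has_global, routes=ROUTER_ROUTES, acl=ROUTER_NAT_ACL):
    """Return a list of problems for HOST reaching the internet."""
    src = source_after_pix(HOST, nat_id, has_global)
    if src is None:
        return [f"PIX has nat {nat_id} but no matching global statement"]
    problems = []
    if not any(src in n for n in acl):
        problems.append(f"router access-list 1 does not match {src}")
    hop = lookup(routes, src)
    if not hop.startswith("connected") and hop != str(PIX_OUTSIDE):
        problems.append(f"router sends replies for {src} to {hop}, not the PIX")
    return problems


if __name__ == "__main__":
    for nat_id, has_global in [(0, False), (0, True), (1, False), (1, True)]:
        print(f"nat {nat_id}, global={has_global}: {check(nat_id, has_global)}")
```

In this model the posted `nat (inside) 0` leaves the router without a return route to 128.23.176.0/24 whether or not a `global` is added, and switching to `nat (inside) 1` with `global (outside) 1 interface` only works once the router's NAT access list also matches 192.168.1.2.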
